CVE-2017-18349

CRITICAL · EXPLOITED · NUCLEI

Fastjson Insecure Deserialization - Remote Code Execution

Title source: nuclei

Exploitation Summary

CVE-2017-18349 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including h0cksr and Dungsocool. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2017-18349, a Fastjson deserialization vulnerability. It demonstrates remote code execution by leveraging JNDI injection via a malicious RMI server to execute arbitrary commands (e.g., touching a file).

Description

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

Exploits (2)

nomisec · WORKING POC · 2 stars
by h0cksr · poc
https://github.com/h0cksr/Fastjson--CVE-2017-18349-


Classification: Working PoC (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Fastjson (versions affected by CVE-2017-18349)
No auth needed
Prerequisites: Access to a vulnerable Fastjson endpoint · Ability to host a malicious RMI server · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026
nomisec · WRITEUP
by Dungsocool · poc
https://github.com/Dungsocool/CVE-2017-18349

This repository provides a detailed technical analysis of CVE-2017-18349, focusing on the exploitation of Fastjson 1.2.24 via deserialization and JNDI injection. It includes step-by-step fingerprinting, version verification, and exploitation methodology but does not contain functional exploit code.

Classification: Writeup (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Theoretical
Target: Fastjson 1.2.24
No auth needed
Prerequisites: Fastjson 1.2.24 · Java 8u102 or similar vulnerable JVM · JNDI-Injection-Exploit tool · HTTP server for hosting malicious class
devstral-2 · analyzed May 29, 2026

Nuclei Templates (1)

Fastjson Insecure Deserialization - Remote Code Execution
CRITICAL · VERIFIED · by night

References (3)

Core References (3)
Mitigation, Third Party Advisory (x_refsource_misc): https://fortiguard.com/encyclopedia/ips/44059
Mitigation, Third Party Advisory (x_refsource_misc): https://github.com/alibaba/fastjson/wiki/security_update_20170315
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/pippo-java/pippo/issues/466

Scores

CVSS v3 9.8
EPSS 0.9069
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2024-01-22
CWE: CWE-20
Status: published
Products (4)
alibaba/fastjson < 1.2.25
com.alibaba/fastjson 0 - 1.2.31 (Maven)
pippo/pippo 1.11.0
ro.pippo/pippo-fastjson 0 - 1.12.0 (Maven)
Published Oct 23, 2018
Tracked Since Feb 18, 2026